Field of the Invention
Embodiments of the present invention relate to enterprise computing systems. More specifically, embodiments of the present invention relate to a method and an apparatus for determining an identity of a third-party user in a Security Assertion Markup Language (SAML) implementation of a web-service.
Related Art
Enterprise applications are increasingly moving towards a service-oriented architecture, and are exposing their functionality through web services. This migration is due in part to an increasing need for applications to integrate seamlessly in a heterogeneous customer environment. Moreover, it is desirable for these applications to provide a way to securely conduct operations involving their functionality.
The WS-Security (Web Service Security) standard defines a framework which facilitates ensuring the validity and integrity of these web service operations. In particular, the Security Assertion Markup Language (SAML) is one of the token profiles which is supported by the WS-Security standard. A Public Key Infrastructure (PKI)-based implementation of SAML (which does not involve a third-party assertion authority) requires a trust relationship to be established between the web service consumer and the producer using digital certificates. However, a PKI-based implementation only helps to validate the source and destination of the web service message; it does not help to ensure the identity of the user indicated in the WS-Security header. This is a problem because a different user might spoof the web service request coming from a trusted node at the origin. To the producer, the request is still valid, since the request originates from a trusted node. Hence, the producer processes the request, and in doing so trusts the identity of the user that sent the request.
This same problem exists when two sites (a first site and a second site) trust a producer and the second site spoofs the request with user information from the first site (assuming user information from the first site is public information, such as an email address, or is known or easily predictable).
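The two checks contrasted above, as an added illustration that is not part of this document and does not describe the claimed invention: a producer that only validates the signing node accepts whatever NameID the node's SAML header carries, whereas a producer that also requires the signing node to be the issuer authorized for the user's domain rejects the second-site case. Per-node HMAC keys stand in for the node certificates a real PKI deployment would verify with XML-DSig, and the node names, domains and envelope are constructed.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-ins (assumption): an HMAC key per trusted node plays the role
# of that node's X.509 key pair; a real deployment verifies XML-DSig over the SOAP message.
NODE_KEYS = {"node-a.example": b"key-of-node-a", "node-b.example": b"key-of-node-b"}
# Which user domain each trusted node is allowed to vouch for (constructed policy).
NODE_SCOPE = {"node-a.example": "site-a.example", "node-b.example": "site-b.example"}


def build_request(issuer, name_id):
    """Constructed WS-Security SOAP message carrying a minimal SAML assertion."""
    return (f'<Envelope><Header><Security><saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f"</saml:Assertion></Security></Header><Body>op</Body></Envelope>")


def sign(node, message):
    return hmac.new(NODE_KEYS[node], message.encode(), hashlib.sha256).hexdigest()


def node_signature_valid(node, message, signature):
    if node not in NODE_KEYS:
        return False
    return hmac.compare_digest(sign(node, message), signature)


def accept_pki_only(node, message, signature):
    """The check described in the text: trusted source node, so trust the NameID as-is."""
    if not node_signature_valid(node, message, signature):
        return None
    root = ET.fromstring(message)
    return root.find(".//saml:Subject/saml:NameID", NS).text


def accept_with_scope_check(node, message, signature):
    """Added check: the node that signed the message must be the assertion's issuer
    and must be authorized to vouch for the user's domain."""
    user = accept_pki_only(node, message, signature)
    if user is None:
        return None
    issuer = ET.fromstring(message).find(".//saml:Issuer", NS).text
    user_domain = user.rsplit("@", 1)[-1]
    if issuer != node or NODE_SCOPE.get(node) != user_domain:
        return None
    return user
```

With this policy, node-b signing a request whose NameID belongs to site-a is accepted by accept_pki_only and rejected by accept_with_scope_check, while node-a vouching for its own user passes both.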
This problem of verifying that a user is who he declares himself to be is known as the identity proofing problem, and has existed in browser-based authentication systems for a long time. For browser-based applications, identity proofing is addressed through a variety of knowledge-based authentication approaches, ranging from prompting a user with verification questions which are unique to the user, to dynamic questions which are based on a recent history of the user.
However, with web services, the nature of the transactions can be asynchronous and the system cannot rely on the user to respond to these knowledge-based questions in a timely manner.